
If you’ve ever wondered “What exactly is a Subject Access Request?” you’re not alone. It’s one of those UK GDPR terms that sounds intimidating but is actually quite straightforward once you know what you’re dealing with. And if you’re a UK business owner, understanding SARs isn’t just helpful; it’s essential. Let’s break this down in plain English, shall we?
What is a Subject Access Request (SAR)?
Think of a Subject Access Request as someone knocking on your digital door and asking: “What information do you have about me, and what are you doing with it?”
Under UK GDPR, every individual has the right to ask any organisation for a copy of the personal data it holds about them, along with supplementary information such as why the data is being processed, who it is shared with and how long it will be kept. This isn’t limited to obvious things like names and addresses; it includes emails, CCTV footage, notes about phone calls, even internal communications that mention them.
Here’s what makes SARs different from a casual enquiry:
- They’re a legal right, not a favour
- You must respond within one calendar month
- They’re usually free (though you can charge a reasonable fee for manifestly unfounded or excessive requests, or for extra copies)
- Ignoring them can land you with hefty fines
Why Are SARs on the Rise in 2025?
Recent government research shows that data protection awareness among UK businesses has increased significantly since 2024, but so has the number of SARs being submitted. People are becoming more aware of their rights, and frankly, they’re not afraid to use them.
Common reasons people submit SARs
- Checking what data employers hold after workplace disputes
- Investigating potential data breaches
- Preparing for legal action
- Simply wanting to know what information companies have collected
- Correcting inaccurate information
The Most Common SAR Mistakes (And How to Avoid Them)
According to the ICO’s latest guidance, these are the mistakes that trip up UK businesses most often:
The “It Wasn’t Sent to the Right Person” Excuse
The Mistake: Thinking you can ignore a SAR because it was sent to a general email address rather than a specific data protection contact.
The Reality: It doesn’t matter whether someone sends their SAR to a general inbox, to a named member of staff, or even posts it on your social media. The request doesn’t have to mention UK GDPR or use the words “subject access request” either. If you receive it, the clock starts ticking.
The Fix: Train your entire team to recognise SARs and have a clear process for forwarding them immediately to whoever handles data protection within your business.
The “We Don’t Have Much Data” Assumption
The Mistake: Assuming you only need to check obvious databases and forgetting about emails, backup systems, or paper records.
The Reality: Personal data can be lurking in places you’d never think to look such as old email threads, archived documents, even handwritten notes.
The Fix: Create a comprehensive data inventory. Know where your data lives before someone asks for it.
The “One Month Means 30 Days” Confusion
The Mistake: Counting 30 days from when you received the request.
The Reality: It’s one calendar month from the day of receipt, counted to the corresponding date in the following month. If you receive a SAR on January 15th, you have until February 15th. Where there is no corresponding date (a request received on January 31st, for example), ICO guidance is that the deadline is the last day of the following month, so February 28th or 29th.
The Fix: Use calendar months, not day counts, and set reminders well before the deadline.
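The calendar-month rule above is easy to get wrong in a spreadsheet or a ticketing system, so here is a small deadline calculator as an added example (it is not code from the original post). It implements the ICO rule: the corresponding date in the following month, counted from the day of receipt, falling back to the last day of that month when the corresponding date does not exist. The function and helper names are my own. Weekend and bank-holiday roll-over is deliberately not modelled, so the result is the earliest date you should treat as the deadline.

```python
"""Deadline arithmetic for a UK GDPR Subject Access Request.

Added example, not from the original post. Applies the ICO calendar-month
rule: the deadline is the corresponding date in the following month, counted
from the day the request is received; where that date does not exist
(31 January -> February) it is the last day of the following month.
Weekend / bank-holiday roll-over is not modelled: treat the result as the
latest safe date, not as an extension you can rely on.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta


def _as_date(value: date | str) -> date:
    """Accept either a date or an ISO string such as '2025-01-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def sar_deadline(received: date | str) -> date:
    """Latest response date for a SAR received on `received`."""
    received = _as_date(received)
    # Step to the following month, rolling the year over from December.
    if received.month == 12:
        year, month = received.year + 1, 1
    else:
        year, month = received.year, received.month + 1
    # Clamp the day to the length of that month (handles 29/30/31 -> 28/29/30).
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def sar_deadline_iso(received: str) -> str:
    """Same rule, ISO strings in and out, for logging or ticket fields."""
    return sar_deadline(received).isoformat()


def naive_30_day(received: date | str) -> date:
    """The common mistake: 'one month' treated as a fixed 30 days."""
    return _as_date(received) + timedelta(days=30)


def days_remaining(received: date | str, today: date | str) -> int:
    """Days left to respond; negative means the request is already overdue."""
    return (sar_deadline(received) - _as_date(today)).days


def reminder_dates(received: date | str, days_before=(14, 7, 2)) -> list[str]:
    """Internal reminder dates (ISO) counted back from the real deadline."""
    deadline = sar_deadline(received)
    return [(deadline - timedelta(days=d)).isoformat() for d in days_before]


if __name__ == "__main__":
    # Constructed receipt dates chosen to show where a 30-day count goes wrong.
    for received in ("2025-01-15", "2025-01-31", "2025-02-01", "2024-01-31"):
        real, naive = sar_deadline(received), naive_30_day(received)
        flag = "  <- 30-day count would have been LATE" if naive > real else ""
        print(f"received {received}: deadline {real}, 30-day count {naive}{flag}")
```

Note the February case: a request received on 1 February 2025 is due on 1 March, but a 30-day count lands on 3 March, two days late. The reminder helper counts back from the real deadline, so it never inherits that error.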
The “We Need More Information” Stalling Tactic
The Mistake: Asking for unnecessary information to delay responding.
The Reality: You can only ask for additional information if you genuinely cannot confirm who is asking or locate the data they want. Because the one-month clock only starts once you have that information, the ICO watches closely for organisations using such requests to buy time. You can’t ask for their inside leg measurement just to delay.
The Fix: Only request additional information if it is genuinely necessary, ask for it promptly, and explain clearly why you need it.
When Can You Refuse a SAR?
Here’s something many businesses don’t realise: you’re not obliged to comply with every single SAR in full. There are legitimate grounds for refusal or for withholding part of the data:
You can refuse a request if it is:
- Manifestly unfounded: clearly made in bad faith or to cause disruption rather than to genuinely exercise the right of access
- Manifestly excessive: for example, repeated or overlapping requests from the same person for the same information
You can withhold specific information (but must still provide the rest) if:
- Releasing it would adversely affect the rights of others, for instance by unfairly exposing another person’s personal data
You can charge a reasonable fee if:
- The request is manifestly unfounded or excessive (as an alternative to refusing it)
- The person is asking for further copies of information you have already provided
But here’s the catch: you need to be able to justify your decision and document the reasoning. If you refuse, you must tell the person why, without undue delay and within the one-month limit, and inform them that they can complain to the ICO and seek a judicial remedy. The ICO doesn’t take kindly to organisations that refuse SARs without solid reasoning.
Your Step-by-Step SAR Response Process
Step 1: Acknowledge Receipt (Within 48 Hours)
Let the person know you’ve received their request and when they can expect a response. This isn’t legally required, but it’s good customer service and shows you’re taking the request seriously.
Step 2: Verify Identity
You need to be sure you’re giving data to the right person, but only ask for proof of identity if you genuinely aren’t certain who is making the request. Keep what you ask for proportionate to the sensitivity of the data: a copy of a driving licence or passport usually suffices for a stranger, while an existing customer writing from the email address already on their account may need nothing more.
Step 3: Search Thoroughly
Check all systems where personal data might be stored:
- Customer databases
- Email systems (including archived emails)
- Messaging and collaboration tools
- CCTV footage
- Paper records
- Backup systems
- Third-party systems you use (processors must help you respond, but you remain responsible)
Step 4: Review and Redact
Redact information that identifies other people unless they have consented or it is otherwise reasonable to disclose it, and remove anything covered by legal professional privilege or another exemption. Redact only what the exemption covers and provide the rest; an exemption for one document is not a reason to refuse the whole request.
Step 5: Respond Clearly
Provide the information in a concise, accessible format. If they asked for it electronically, don’t print it out and post it; reply electronically, in a commonly used format, to the address you have verified. Include an explanation of what you’re providing and why, together with the supplementary information (purposes, recipients, retention period and source of the data). Send it securely: a password-protected archive with the password shared by a separate channel is better than an unprotected attachment, because a response containing someone’s personal data is itself something you must protect.
The Real Cost of Getting SARs Wrong
Let’s be honest about what happens if you mess this up:
- ICO fines can reach £17.5 million or 4% of total annual worldwide turnover (whichever is higher)
- Court orders forcing compliance
- Reputational damage that can last years
- Legal costs if the person takes further action
Most SAR failures aren’t about malicious non-compliance. They’re about businesses simply not knowing what they’re supposed to do.

Making SAR Compliance Easier
The good news? You don’t have to navigate this alone. Having the right processes and tools can make SAR compliance straightforward rather than stressful.
Essential tools for SAR management:
- A clear data inventory (know what data you have and where)
- Standardised response templates
- Identity verification processes
- Secure data transmission methods
If you’re feeling overwhelmed by the thought of managing SARs, you’re not alone. Many UK businesses struggle with data protection compliance, which is why we created our free UK GDPR compliance kit. It includes step-by-step guides for handling SARs and everything you need to start your compliance journey.
For businesses wanting more comprehensive support, our AXIS AI system can help you navigate complex data protection scenarios with confidence. Think of it as having a data protection expert available 24/7 to guide you through the process. Better still, a free demo is available right now so you can try before you buy.
What This Means for Your Business
Whether you’re a sole trader, small business, or growing company, SARs are part of doing business in the UK. The key is being prepared rather than panicking when one arrives.
Remember, most people submitting SARs aren’t trying to catch you out, they just want to know what information you have about them. Treat them with respect, respond promptly, and you’ll find the process much less stressful than you might expect.
Ready to Get SAR-Ready?
Data protection doesn’t have to be complicated. With the right preparation and support, handling SARs can become just another part of your business operations rather than a source of stress.
Because at the end of the day, good data protection isn’t just about avoiding fines; it’s about building trust with your customers and running your business with confidence. If you have any questions about our Free Compliance Kit, AXIS AI or our services in general, contact us today to start your UK compliance journey.